authorRushan Chen <rushan.chen@mongodb.com>2021-12-15 10:36:27 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2021-12-15 11:24:31 +0000
commite0d5fbeb1075e0ab903a190e514d19239c5e9c0d (patch)
tree9b70a908b8f8652f1c0fc91bbd91814fba94303d
parent85ce0c4d704abe540242dca01f8d5b86d15d55ce (diff)
downloadmongo-e0d5fbeb1075e0ab903a190e514d19239c5e9c0d.tar.gz
SERVER-61931 add additional privileges on system_buckets collection for cluster manager role
-rw-r--r--src/mongo/db/auth/builtin_roles.cpp3
-rw-r--r--src/mongo/db/auth/builtin_roles_test.cpp26
2 files changed, 28 insertions, 1 deletions
diff --git a/src/mongo/db/auth/builtin_roles.cpp b/src/mongo/db/auth/builtin_roles.cpp
index d210914a6f9..74461687ad5 100644
--- a/src/mongo/db/auth/builtin_roles.cpp
+++ b/src/mongo/db/auth/builtin_roles.cpp
@@ -457,6 +457,9 @@ void addClusterManagerPrivileges(PrivilegeVector* privileges) {
Privilege(ResourcePattern::forAnyNormalResource(), clusterManagerRoleDatabaseActions));
Privilege::addPrivilegeToPrivilegeVector(
privileges,
+ Privilege(ResourcePattern::forAnySystemBuckets(), clusterManagerRoleDatabaseActions));
+ Privilege::addPrivilegeToPrivilegeVector(
+ privileges,
Privilege(ResourcePattern::forDatabaseName("config"), clusterManagerRoleDatabaseActions));
Privilege::addPrivilegeToPrivilegeVector(
privileges,
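Review bot: The new Privilege on ResourcePattern::forAnySystemBuckets() reuses clusterManagerRoleDatabaseActions (moveChunk, enableSharding and the rest, as the test file spells out), but nothing in the hunk records why the existing forAnyNormalResource() grant two lines above does not already reach these collections; presumably "normal" resources exclude system collections such as system.buckets.*, but that should be stated rather than inferred. A one-line comment above the added call would do: `// system.buckets.* are not matched by forAnyNormalResource(); grant the same sharding actions on them explicitly so clusterManager can manage time-series collections.` If the intent was a narrower set of actions on system buckets than on normal collections, that is worth confirming before this lands, since this widens what the built-in role can do on every database. The body of addClusterManagerPrivileges starts outside the hunk.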
diff --git a/src/mongo/db/auth/builtin_roles_test.cpp b/src/mongo/db/auth/builtin_roles_test.cpp
index 283c7f57df7..3ae43f1c2a6 100644
--- a/src/mongo/db/auth/builtin_roles_test.cpp
+++ b/src/mongo/db/auth/builtin_roles_test.cpp
@@ -92,7 +92,7 @@ TEST(BuiltinRoles, getBuiltinRolesForDB) {
ASSERT_GTE(adminRoles.size(), testRoles.size());
}
-TEST(BuiltinRoles, addPrivilegsForBuiltinRole) {
+TEST(BuiltinRoles, addPrivilegesForBuiltinRole) {
PrivilegeVector privs;
ASSERT(auth::addPrivilegesForBuiltinRole(RoleName("read", "admin"), &privs));
ASSERT_EQ(privs.size(), 2);
@@ -120,5 +120,29 @@ TEST(BuiltinRoles, addPrivilegsForBuiltinRole) {
}
}
+TEST(BuiltinRoles, addSystemBucketsPrivilegesForBuiltinRoleClusterManager) {
+ PrivilegeVector privs;
+ ASSERT(auth::addPrivilegesForBuiltinRole(RoleName("clusterManager", "admin"), &privs));
+ ASSERT_EQ(privs.size(), 9);
+
+ const auto systemBucketsResourcePattern = ResourcePattern::forAnySystemBuckets();
+
+ const ActionSet clusterManagerRoleDatabaseActionSet({
+ ActionType::clearJumboFlag,
+ ActionType::splitChunk,
+ ActionType::moveChunk,
+ ActionType::enableSharding,
+ ActionType::splitVector,
+ ActionType::refineCollectionShardKey,
+ ActionType::reshardCollection,
+ });
+
+ for (const auto& priv : privs) {
+ auto resourcePattern = priv.getResourcePattern();
+ if (resourcePattern == systemBucketsResourcePattern) {
+ ASSERT(priv.getActions() == clusterManagerRoleDatabaseActionSet);
+ }
+ }
+}
} // namespace
} // namespace mongo
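Review bot: The loop in addSystemBucketsPrivilegesForBuiltinRoleClusterManager only asserts inside the `if`, so if no privilege carries the system-buckets resource pattern the test passes vacuously and the size check alone would not catch a regression that swapped the new grant for some other pattern. Track a hit and assert it after the loop: `bool found = false;` before the loop, `found = true;` inside the `if`, and `ASSERT(found);` after it. The per-iteration `auto resourcePattern = priv.getResourcePattern();` could also be `const auto& resourcePattern = ...` if getResourcePattern() returns a reference, which I cannot confirm from the hunk. The expected action set is duplicated here by hand rather than compared against the production definition, so any later change to clusterManagerRoleDatabaseActions must be mirrored in this test; a comment saying so, `// Keep in sync with clusterManagerRoleDatabaseActions in builtin_roles.cpp.`, would help the next maintainer.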